How to distinguish between fake and genuine Filezilla

It seems malware is everywhere these days, and many a user falls prey to it through emails, downloaded files and malicious websites.

The FileZilla FTP Client seems to be the latest target in this type of attack. Security researchers at Avast discovered this happening with versions 3.7.3 and 3.5.3 of the software. “We have noticed an increased presence of these malware versions of famous open source FTP clients”, the firm announces.

How to distinguish between fake and genuine Filezilla ?

The installed malware FTP client looks like the official version and it is fully functional! You can’t find any suspicious behavior, entries in the system registry, communication or changes in application GUI.

The only differences that can be seen at first glance are smaller filesize of filezilla.exe (~6,8 MB), 2 dll libraries ibgcc_s_dw2-1.dll and libstdc++-6.dll (not included in the official version) and information in “About FileZilla” window indicates the use of older SQLite/GnuTLS versions. Any attempt to update the application fails, which is most likely a protection to prevent overwriting of malware binaries.

Here is a image where you can distinguish between fake and genuine Filezilla.


The organization said it is difficult to prevent tainted versions of its software “since the FileZilla Project promotes beneficial redistribution and modifications of FileZilla in the spirit of free open source software and the GNU General Public License.”

The security vendor Avast found that the modified versions are nearly identical to the legitimate application. The icons, buttons and images are the same, and the malware version of the “.exe” file is just slightly smaller than the real one, Avast wrote on its blog.

What the fake Filezilla software can do ?

Inside the tampered FileZilla versions, Avast found code that steals login credentials for servers users are accessing. The username, password, FTP server and port are encoded using a custom base64 algorithm and sent to the attacker’s server, according to Avast.

“The whole operation is very quick and quiet,” Avast wrote.

FileZilla recommended its application be downloaded only from its website or SourceForge, one of its distribution partners. It also recommended to check the SHA-512 hashes of the unmodified version of FileZilla’s installer and executable, which it has published on its blog.


Here is a communication when the FTP client (v3.7.3) is sending log in information:

The following two tabs change content below.

Bibhuti Patnaik

Founder, Author at HashTricks
A young entrepreneur, designer and developer. Loves to play with codes and a hopeless fan of Chelsea.